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(54) Apparatus and method for depersonalizing Infbrmatlon 



(57) A conputer implemented method allows an 
owner or provider of data that contains personal identifi- 
ers (data provider) to distribute that data to a data user 
in a depersonalized form. i.e.. without revealing the 
identity of the individuals associated with the data. The 
data provider first separates the personal Information 
from the other data to create two data sets. The per- 
sonal identifying information is then provided to a 
Trusted Third Party (TTP). The TTP associates a unique 
identifier with the identifying information. This unique 
identifier replaces any data in the database that can be 
used to identify an individual, such as name, address or 
social security number. The TTP may also collect and 
store the personal identifying information so that it can 
process identifying information that rt acquires in the 
future to determine if the unique identifiers generated by 
the data provider or by the TTP refer to the same indi- 
vidual. The data provider associates its own unique 
identifier or the Identifier provided by the TTP with the 
other data to create depersonalized data that may be 
sent to a data user for analysis. In this manner, different 
records from one or more date providers that refer to a 
single individual can be matched by the data user, and 
the data provider is assured that no personal identifying 
information is distributed that would link an individual to 
a particular data record. The TTP transmits information 
that correlates unique identifiers from multiple data pro- 
viders to a data user. Each data provider transmits the 
depersonalized date, including the unique identifiers to 
the data user. The data user correlates the information 



from the different date providers before analyzing the 
data. 
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Description 



BACKGROUND OF THE INVENTK)N 



5 [0001 ] The present invention concerns the depersonalization of data associated with a particular individual and, in 
particular, a method for depersonalizing data from several sources without disclosing the personalized data 
[0002] In modern society, information relating to specific individuals is obtained t)y numerous organizations. Health- 
care, financial and commercial organizations such as hospitals, laboratories, banks, insurance conrpantes and retailers 
own data that could be used for research and development, marketing, and other business functions. There is, however 

10 a growing awareness for the necessity to maintain the privacy of the individuals connecting with the data In particular, 
information regarding an individual's health or financial status may be extremely sensitive. 

[0003] The analysis of this information often requires accessing data from multiple sources. For exanple. a study 
to d^ermine the effectiveness of a particular medication may need to access records from a group of caregivers that 
prescribe the medication and from a corresponding group of pfiarmacies who presaibe the medication. The data 
75 owned by each of the data providers contains sensitive information that they may be unable to share with the data user 
who will be analyzing the information. While the various data providers could remove any identifying information from 
their data and provide only the medical data to the data user, the data user would not be able to conrelate the data from 
the various sources and. thus, would lose information that would be needed in the analysis. 

[0004] Therefore, a need has arisen for a method for obtaining personal data from multiple sources without the abil- 
20 ity to identify the individuat associated with the data but with the ability to associate individual data Items from multiple 
sources as relating to a single individual. 

SUMMARY OF THE INVENTION 

26 [0005] The present invention relates to a computer implemented method and apparatus that allows an owner or 
provider of data that contains personal identifiers (data provider) to distribute that data to a data user in a depersonal- 
ized fomi. i.e.. without revealing the identity of the Individuals associated with the data. The data is othenvise 
unchanged. According to this method, a data provider separates the personal information from the other data to create 
two data sets. Only the personal kJentifying information is provided to a Trusted Third Party (TTP). The TTP generates 

30 an identifier that replaces any data in the database that can be used to identify an individual, such as name, address or 
social security humt>er. The ITP may also collect and store the personal identifying information so that it can process 
identifying information that it acquires in the future to determine if the identifiers generated by the data provider or by 
the TTP refer to the same individual. The data provider associates the identifier provided by the TTP with the other data 
to create depersonalized data that may be sent to a data user for analysis. In this manner, different records from one or 

35 more data providers that refer to a single individual can be matched by the data user, and the data provider is assured 
that no personal identifying information is distributed that would link an individual to a particular data record. 

DETAIL DESCRIPTION OF THE DRAWINGS 

40 [0006] 

Rgure 1 is a data flow diagram which Is useful for describing how data is transfenred among the varfous parties in 
the subject inverrtion. 

Figure 2 is a dataflow diagram which illustrates one exemplary data depersonalization method. 
45 Figure 3 is a data flow diagram that illustrates a second exemplary data depersonalization method. 

Figure 4 is a datafkiw diagram that illustrates a third exemplary data depersonalization method. 

Rgure 5 is a data flow diagram that illustrates a fourth exemplary data depersonalization method. 

Rgure 6 is a data f bw diagram that shows how multiple data providers may interact with a trusted third party to pro- 
vide data that may be conrelated by one or more data users. 
so Figure 7 is a t^ock diagram that shows an exemplary computer configuration that may be used to implement the 

methods described in Rgures 1 through 6. 

Rgure 8 is a flow-chart diagram of an exemplary method of Figure 6. 

Rgure 9 is a f fow-cfiart diagram of an exemplary method of Figures 3, 4 or 5. 

55 DETAILED DESCRIPTION OF THE INVENTION 



[0007] Briefly, the present invention is a method and apparatus for processing sensitive information, that identifies 
a person, so that it may be used for anonymous data analysis. In the embodiments of the invention described below, a 
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data provider, who owns a database containing sensitive infbmiation. divides the information into two parts, identifying 
infornnation and other information. Using the Identifying information, the provider generates, or has generated for it. a 
unique identifier that is linked to the Identification information In the data provider's database. The data owner then tags 
the other information with this unique identifier and provkies the tagged data to the data user, in each of the embodi- 

5 merits described below, the unique identifier Is generated by or registered with a Trusted Third Party (TTP) who is able 
to match the identifying information received from the data provider to other identifying information that may already be 
in the TTP*s datat)ase. A TTP is an entity that is under a contractual agreement to protect the identifying information 
from being disclosed, while maintaining and processing the data as necessary. By matching the identifying information, 
the TTP can link identifiers that are associated with data from multiple providers. These links may be provided directly 

10 to the data users to alfow the data users to correlate data from multiple sources. 

[0008] in the subject application, the word "depersonatizlng" is used to describe the process by which the kientify- 
ing irrfonnatlofris removed from a user data record and replaced by a unique identifier. This term encompasses the 
teftns "anonymizing" and "encoding" as they are used In the data processing arts. When data is anonymized. or 
encoded, all identifying information is removed from a record and a truly random identifier is assigned to represent the 

IS person. In addition, the term "depersonalizing" also encompasses a process by which an identifier that is not truly ran- 
dom is replaces the personal Identifying information in a data record. An identifier of this type may be. for example, a 
hash function value or other value produced from a predetermines subset of the identifying information. 
[0009] Fig. 1 shows a high-level data flow diagram of an exemplary information network. 110, with which the prin- 
ciples of the present invention may be used. In this exemplary embodiment, a data provider 112 owns or controls a 

20 database. 1 1 4. which, for exanrple, is organized as a plurality of data records, each record containing one or more data 
fields. The data for each person may be kept in a single record or it may be linked across multiple records. Fields or 
portions of the fields in each record contain data that can be used to identify the Individual, namely, personal identifiable 
attributes. These attributes include, for example, "name." "address" and "social security number". This Is an exenplary 
and not exhaustive listing of the identifiable attributes. 

25 [001 0] In addition to the identifying Information, the datatiase contains other information at>out the individual. This 
"other information" may Include, for example, medical infornnation, financial data, purchase activity information or wet}- 
site navigation data. The identifying information may also include non-identifying demographic data, for example, tiie 
person's occupatfon. their postal code or tiieir telephone area code. Depending on tiie type of "other information" in tiie 
database record, some of this demographic information may be classified as identifying information. For example, if the 

30 data record includes sensitive medical information tiien the entire postal code may k3e consklered Identifying informa- 
tion while a partial postal code, for example the first three digits of a five-digit zip code, would not be klentifying infor- 
mation. 

[001 1 ] Because the type of information tiiat may be considered to be identifying information varies with the type of 
data stored in the database, the data provider is best able to decide which information in the person's record is consid- 

35 ered to be identifying information and which information may be passed on to a data user for analysts. The data provider 
112 creates a file 113 from the database, each record of the file contains tiie fields having the identifiable attributes from 
each record in the database. The file 1 13 is sent to a Trusted Third Party (TTP) 1 16. The TTP 1 16 creates a unique 
ktentif ier to be associated with the identifying attributes. This Identifier can be alphabetic, numeric, alphanumeric, sym- 
bolic and the like. If the data in tiie database is sensitive, the unique identifier may be generated In a totally random fash- 

40 ion and in a manner that cannot be reversed, for example by taking the instantaneous value of the system clock register. 
If tiie data In the database is less confidential, the unique klentifier may be generated from the identifying information 
by a revers'it)le process. 

[0012] To generate the unique klentifier, the TTP 116 first compares the identifying data from a record in the file to 
records in an internal datak^ase 115 that contains Identifying information which has previously t>een processed tyy the 

45 TTP. Each record of tills database also contains a source identifier that Identifies the data provider, who owns tiie data 
associated with the identifying record, and links to otiier records in tiie datatjase that contain matching identifying infor- 
mation. If the TTP finds a matoh in its internal database and if the source of tiie previous data is the supplier of the cur- 
rent data then the TTP 116 uses the previously assigned unique identifier as the identifier for the new data. If tiie source 
of tiie previous data was not the supplier of tiie current data or if tiie TTP does not find a match for the data In Its data- 

50 base a new unique klentifier is generated for the data set Each unique identifier is specific to tiie data provider. 

[001 3] By asagning a different unique identifier to represent the same person for respectively different data provid- 
ers, the TTP ensures tiiat one data provider can not identify any data owned by another provider. Because each data 
provider has identifying information for all of the people In its database, if the same unique identifier were used for mul- 
tiple providers, one provider could link Its Identifying Information to depersonalized data that is owned by a different data 

55 supplier. This may result In a breach of confidentiality for that data. 

[0014] After retrieving or aeating the unique identifier, the TTP stores It Into a field of the appropriate record in the 
file 113, When all of the records have been processed, the TTP 116 returns the file 1 13 to the data provkier 112. The 
data provider creates a new database 120 containing the records of the original database from which the identifiable 
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attributes are removed and replaced with the unique identifier. The database 120 containing the random kJentifiers 
along with the data not determined to be personal identifying attributes are then sent to the data user 118. The data 
user now has useful data that has been depersonalized so that the data user does not have the ability to identify an 
individual that matches a particular set of data. 

5 [001 5] For sensitive data, it is desirable for the TTP 1 16 to protect the relationship between the personal identifying 
information and the unique identifiers. For this type of information, the random identifiers provided by the TTP 1 16 are 
desirably totally random; there should be no way for anyone other than the data provider 1 12 or the TTP 1 16 to relate 
the identifier with the individual Only In the circumstance where the data provider 1 1 2 has authority to grant and grants 
specific pemiission should the data user be able to obtain identifying information for any data in its possession. In this 

10 exemplary embodiment an individual may have multiple records within the database owned or controlled by the data 
provkier. In addition, as set forth above, the TTP 116 may have data on one person from multiple data providers. In 
order to link newly^received personal data to data already in the database 1 15, the TTP 116 executes a matching algo- 
rithm on the data that it receives. In any scenario in which a data user requires data from multiple providers, a TTP 1 1 6 
is necessary. 

15 [0016] Many matching algorithms may be used in the present invention. Exemplary matchirig algorithms are dis- 
closed in a paper by M. A. Jaro entitled "Prot)abilistic Linkage of Large Public Health Data Rles" Statistics in Medicine. 
vol. 1 4, John Wiley, pp 491 -498 (1 995) and In an article by I. R Fellegi et al. entitled "^A Theory of Record Linkage" Jour- 
nal of the American Statistical Association, vol. 64, No. 328. pp 1 183-1210 (1969). The simplest matching algorithm is 
a deterministic match. By this algorithm, individual data f iekis from the newly received personal data are compared to 

20 conresponding fields in the data from the database 1 15. If all of these fields match, then the newly received data is 
almost certainly for the person whose data is in the database. An exenrplary set of fields that may t>e used for a deter- 
ministic match are Last Name, First Name, Address and Social Security Number. Other fields such as Telephone 
Nun^er and Birth Date may also be used. 

[0017] Deterministic matching techniques may not identify all matches or even a large percentage of matches 
25 between two databases because of incomplete data or transcription enrors. One method for enhancing deterministic 
matching techniques is to employ prot^ilistlc techniques to determine the likelihood that two dissimilar fields match. 
Another technique Is to normalize the data, for example by expanding abbreviations and nicknames before performing 
the deterministic match or applying the prok>abilistic techniques. Yet another method is to analyze dissimilar fields in 
othennrise matching records by their edit distances to identify possible errors in transaiption. 
30 [0018] One exemplary data matching technique is presented t>elow. This method is disclosed in copending U.S. 
patent application No. 60/165,121 filed 15 November 1999 and is one of many possible matching methods tiiat may be 
used. The materials disclosed tiiereln are incorporated by reference herein to the extent they are material to the under- 
standing and practice of this invention. The exemplary matching technique comprises three steps, i) data standardiza- 
tion, ii) weight estimation, and iii) data comparison. 

35 

Dgfinitiong 

[0019] The following definitions and abbreviations are used for this exemplary emtxxiiment: ^•PrDt)ability: The 
probability that any random element pair will match by chance, as given by equation (1). 

40 

^ match /-V 

= (1) 

"A'B 

45 p-Probability: The reliability of the data elenrtent. If the Element Error Rate ^ .99 then p=1 — EER \ Else 

p=.99— EEfl 

Agreement: A condition such that a given element pair matches exactiy and both elements are known 
so ^ex^^ex 



Agreement Weight: The weight assigned to an element pair when they agree during the record matching process 
as shown in equation (2). 

55 



AW'. 



•iog2(e) (2) 



4 



15 



20 



25 



45 



EP1026 603A2 

Cartesian Product: The set of ordered pairs A*B^{[a,b)\ae A^be B] 

Disagreement: A condition such that a given element pair does not exactly match and t)oth elements are known 



Disagreement Weight: The weight assigned to an element pair when they disagree during the record matching 
10 process as shown in equation (3) . 



DW 



Element Error Rate: The proportion of element pairs where at least one element is unknown, e.g., null, as shown 
in equation (4). 

e = (4) 

Frequency Table: Summary of the number of times, and percentage of total different values of a variable occur 
Mean: Arithmetic average, as given in equation (5). 

30 

No Decision: A condition such that a given element pair where either one or both of the elements is unknown. 
Random Number Assignment: In the exemplary embodiment of the invention, every record in the data set is 
assigned a random number such that v blocks of approximately 1500 are created R = int[(L/ * P)+1] where R is 
the resulting Random Number, U is the Upper Bound (defined below) and P is a random function that returns a 
35 value between 0 and 1 . In the exemplary embodiment of the invention, P may be a pseudo random number gener- 
ator. 

Threshold: The threshold utilized in prot)abilistic matching is a binit odds ratio with a range of -oo^ oo. 

Upper Bound: Number of strata such that the data set is divided Into approximately equal rows of 1500 as shown 

in equation (6). 

40 



o = int( 



Num ber o f Records in Data Sef \ 
1500 ) 



As regards the computer and machine language used in this process, just akx>ut any piece of hardware capable of exe- 
cuting a fairly large number of calculations in short order will ffl! the bill. Any current state-of-the-art PC or server could 
be used. As for the operating system. UNIX is preferred, but Windows 98 or NT for Windows or the like coM be used. 
so The source code can be written in any language, tough Java if preferred. 

Pata $tan(jardizatiQn 

[0020] The first step of this process involves the standardization of data in an input file. Thte standardization is 
55 required for inaeased precision and reliability. The input file can contain any number of variat)les of which one or more 
are or may be unique to a particular data source such as an individual. Examples of useful variat^les are: member iden- 
tifier, drivers* license number, social security numk^er, insurance company code number, name, gender, date of birth, 
street address, city, state, postal code, citizenship. In addition, some identifiers can be further distilled down into their 
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basic, or atomic, components. For example, a name may be broken down into atomic components of first name, last 
name and middle Initial. 

[0021] During the standardization process, all character data is preferably trar^formed to a single case, and all 
at)breviations or nick-names are transformed to their longer forms. For example all letters may be transformed to upper- 
case. So for Instance, first names are standardized to uppercase. e.g., {BOB, ROB, ROBBY} = ROBERT. Common 
names for cities and streets may be transformed to the postal code. e.g.. in the U.S. to United States Postal Service 
standard. In the latter Instance this can be performed using Industry standard CASS certified software. 

Weioht Estimation 

[0022] A fundamental component of this exemplary algorithm is the process of estimating the agreement and dis- 
agreement welghj^ necessary for the probabilistic function. Weights are calculated based In probak>ilities of chance 
agreo/Tient using an iterative kx>otstrap technique. 

[0023] The f irst step in the exemplary weight estimation process is to determine the number of strata required such 
that the data set can be divided Into approximately equal blocks of 1500 rows (Fig. 2 - 201-219). see equation (6). 



u = int(! 



Number of Records in Data Sel 



1500 



(6) 



20 



[0024] The source file is then scanned and the records are assigned a random number between 1 and U. A data 
matrix is created containing a Cartesian product of records with a random number of 1 assigned. The resulting matrix 
is then scanned. Each element pair within each record pair Is assessed and assigned a value as shown in equation (7). 



25 



30 



^ X = (Agreement) 

0 if y4 = Null and/or = Null (No decision) 

-lit *Bg (Disagreemait) 



(7) 



where 



35 



A. 



40 



is the nth element from record A 

[0025] Once the matrix has been fully assessed, percentages for 



each are tabulated and stored. This process may be r^eated for a number (e.g. 15) of iterations. 
45 [0026] Mean percentages of Agreements and No Decisions are calculated for each data elemerrt. The p probability, 
or the reliability, for each data element is then calculated, see equation (8). 



so 



leie =s 



Nol 

else 99 -E 



(8) 
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[0027] The ^ probat)illty. or the probability that element n for any given record pair will match by chance. Is calcu- 
lated see equation (9). 
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\^~^ Peroont Agreement (^) 

[0Q28] Rom the p and \i probabilities, the disagreement and agreement weight formula may calculated employing 
equations (10) and (11) respectively. 

Disagreement = log 2(^7^ (1 0) 

Agreement = log (1 1) 

Unique Iden tffier Assignment 



[0029] The final stage of this process is the action of uniquely identifying entities within the input data set. 
[0030] Each record from the input file is evaluated against the reference datafc)ase 11 5 to determine if the entity rep- 
resented by the data has been previously identified using a combination of deterministic and probabilistic matching 
techniques. If it is judged that the entity is already represented in the reference set. the input record is assigned the 

20 unique identifier (UID) from the reference record that it has matched against. If it is judged that the entity represented 
by data is not yet in the reference set. a new UID is randomly generated and assigned. Random values may be gener- 
ated using many different algorithms. As set forth above, if the data is sensitive, it is desirable that the random identifier 
be truly random, generated, for example, using the instantaneous value of the system dock register. For less sensitive 
data reversible methods may be used. It is desirable, however, for the Identif ter to be unique; only one person should be 

25 associated with any one Identifier. This random identifier may be numeric, alphanumeric, or symbolic (e.g. a spatial pat- 
tern or hologram). 

[0031] After the UID assignment occurs, the input record is evaluated, in its entirety, to determine if the record is a 
unique representation of the entity not already contained in the reference table. If it is a new record, then it is inserted 
into the reference database 1 1 5 for fixture use. 



30 



35 



40 



45 



Deterministic Matching Technique 

[0032] The exemplary deterministic matching technique employs simple Boolean logic and is a}:^lied after the data 
has been standardized. Two records are judged to match if certain criteria are met such as the following: 

First Name Matches Exactly 
Last Name Matches Exactly 
Date of Birth Matches Exactly 

Social Security Nurrt>er OR Member Identifier Matches Exactly 

[0033] If two records satisfy the criteria for deterministic matching, no probabilistic processing occurs. However, if 
no deterministic match occurs, the input record is presented for a prot)abilistic match. 

Probabilistic Matching Technique 



[0034] The first step in the probabilistic matching process is to build a set of candidate records from the reference 
table based on characteristics of specific elements of the input record. This process is referred to as blocking, the set 
of candidate records is referred to as the k)locking tat>le. All data sets do not use the same characteristics, the elemerrts 
used in this process are determined through data analysis. It is suggested, however, that the blocking variables include 
50 those elements that are somewhat unique to an individual, e.g., social security number, or a combination of date of birth 
and last name. Upon completon of the construction of the t)locking table, each element for each candidate record is 
compared against its corresponding element from the input record. See equation (12) for the scoring mechanism. 

55 
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5 



Agreement Weight if = 
Oir>4 ^NuUaud/orB =Ntdl 





(12) 



Disagreement Weight if *Bg 



10 where 



t5 is the nth element from record A 

[0035] A composite weight is then calculated for all carKlidate records, see equation (1 3). 



N 



(13) 



20 



[0036] The candidate record with the highest conrposite weight is then es/aluated against a predefined threshold. If 
the weight meets or exceeds the threshold, the candidate record is judged to match the input record. If the weight does 

25 not exceed the threshold, it is assumed that the input record represents an entity not yet included in the reference set. 
[0037] The exemplary matching technique does not attempt to determine whether two fields that disagree repre- 
sent the same data. H, for example, because of a transaiption error, a social security number of 123 45 6789 were 
recorded as 123 45 6798. the algorithm set forth akx>ve would indicate disagreement. One alternative enhancement to 
the algorithm set forth above may be to employ some measure of similarity such as Edit Distance between similar fields. 

30 For e}»nr!ple. the social security numbers descrflsed above have an edit distance of one because a digit substitution of 
the last two digits would produce the correct result. This measure of similarity may be employed, for example, as a part 
of the probabilistic process or as a post processing step to confirm that the result of the probabilistic process is correct 
[0038] Rgures 2, 3. 4 and 5 show alternative embodiments for employing a TTP 1 1 6 in the anonymous transfer of 
sensitive information from a data provider 11 2 to a data user 1 1 8. Although each of the emt)odimen1s includes a single 

35 data provider, it is contemplated that, except for Figure 2, all embodiments may be expanded to include multiple inde- 
pendent information providers. The embodiment shown in Figure 2 may include multiple information sources from a sin- 
gle information provider. One implementation that illustrates multiple information providers is described below with 
reference to Figure 6. 

[0039] In the embodiment shown in Rgure 2. a data supplier 112 processes input information in the database 1 1 1 
40 to separate the personal data 113 from the other data in the database. The personal data is sent to the TTP 1 16 for 
processing, as described above. The TTP 116 returns the personal data with each record now including a unique iden- 
tifier. The data supplier 112 then matches the unique identifier to the data in the input datat>ase 1 1 1 and separates the 
other information and the associated unique kjentifiers into a depersonalized database 120. This depersonalized data- 
base is then sent to the data user 1 1 8 for analysis. 
45 [0040] In the exemplary embodiment shown in Rgure 2, there is no direct communication between the TTP 116 and 
the data user 118. This emtxxiiment may be used where a single data provider irtcludes multiple data sources and 
needs to match the data from the various data sources. One example of this is a hospital environment in which billing 
records, patierrt treatment records, pharmacy records, radiology records and therapy records may be kept separately, 
perhaps by separate contractors. The hospital may want to match these records internally for its own use and may want 
50 to provide the data to an external data user. In this emtxxJiment, the TTP 1 1 6 matches the records from the various data 
sources and provides a single unique identifier for each person anrmg all of the sources. 

[0041 ] The exemplary embodiment shown in Figure 3 differs from that shown in Figure 2 in that the TTP 1 16 does 
not communicate the unique identifier to the data provider. In this emtxxjiment, the provider 1 1 2 processes its input 
database to generate two databases. One datak>ase. 113 has only identifying information and the other database has 
55 only the other inlbnmation. The data provider assigns common identifiers to corresponding records in the two data- 
bases. These identifiers may be as simple as a record number or as complex as a random identifier for a particular indi- 
vidual. In the first instance, the data provider makes no attempt to link multiple records for the same person. In the 
second instance, the data provider has already linked the records and has placed the unique identifier for the person 
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into both the records of the database 11 3 and the corresponding records of the datebase 1 20. Where the data provider 
has assigned unique identifiers, the identifiers may be random, pseudo random or reversible, tt is noted, however, that 
reversible unique identifiers may only be used in situations where at least some personal infbnrtation may be disclosed. 
[0042] The database 1 1 3 is provided to the TIP 1 16 where it is processed, as described above, to match records 
having the same identifying irrfbrmation to each other and to records in the internal datak)ase (not shown) of the TTF 
lie. 

[0043] At the same time that the identifying data is sent to the TTP, the datat)ase 120 confining the other data is 
sent to the data user 118. After receiving the datat>ase 1 20. the data user warts to receive correlating data 3 1 0 from the 
TTP 1 1 6. This correlating data matches the record identifiers or unique identifiers from the data provider to unique iden- 
tifiers generated by the TTP. The data user adds the unique identifiers generated by the TTP 1 16 to the appropriate 
records of the database 1 20 and processes the other information using the TTP unique identifiers. 
[0044] When the system shown in Figure 3 is used with multiple data providers, the correlating data 310 provided 
b/the TTP 1 16 may also include a table indicating con-espondence among the unique identifiers or record numbers 
provided by the multiple data providers. Using this information, the data user 118 may associate data from the multiple 
providers before performing the data analysis. The system shown in Figure 4 is similar to that descrit>ed above with ref- 
erence to Figure 2 except that, in the system of Figure 4, there is communication between the TTP 116 and the data 
user 118. In Figure 4, the data supplier sends the iderrtifying information to the TTP 116 who matches the data, adds 
unique identifiers and sends the identifying information with the unique identifiers back to the data supplier 112. The 
data supplier then copies the unique identifiers from the identifying information records to the associated other informa- 
tion records and provides the other information records to the data user 118. The data user 1 18 then receives correlat- 
ing data (410) directly from the TTP 116. In this instance, the coaeiating information includes unique identifiers from 
other data suppliers that correspond to the unique identifiers in the depersonalized data 1 20 that is provided by the data 
supplier 112. 

[0045] In the system shown in Figure 4. this correlating data 410 may be provided by the TTP 1 16 to the data user 
1 1 8 at the request of the data provider 1 1 2 or it may be requested by the data user 1 1 8. When the data is requested by 
the data provider, the TTP provides correlating information for all of the data suppliers in its database. When the data 
user asks for data, however, it requests information from only those data providers from which it receives data. 
[0046] Rgure 5 shows a system that is similar to the system shown in Figure 3 except that, rather than send all cor- 
relating data to the data user the TTP 116 sends con^eiating data to the data user 118 only in response to a specific 
request. As with the system shown in Figure 4. that request may be for only those data providers who supply data to 
the data user 118. 

[0047] In any of the systems shown in Rgures 1 through 5, it may be necessary for the data user to identify tfie per- 
son whose data is being evaluated. If. for example, the data user 1 18 is processing medical data and identifies a life- 
threatening condition, the data user may need to notify the individual. In this instance, the data user may ask the data 
supplier for the identifying information. In situations where the unique identifiers being used by the data user do not 
match the identifiers held by the data provider, the data provider 112 may then authorize the TTP 116 to divulge the 
information to the data user 118. 

[0048] Rgure 6 illustrates another exemplary emkxxjiment using the principles of the present inventk>n. In this 
emtKxJiment. The Trusted Third Party 1 1 6 provfcles each data provider 1 1 2a, 1 1 2b and 1 1 2c with software and/or hard- 
ware that performs the depersonalizing process and a supporting database 1 15a, 1 15b and 1 15c that holds the identi- 
fied depersonalized data. Each database 1 15a. 1 1Sb and 1 15c contains individual identifiatsle attributes and individual 
identifiers for the respective data provider 1 12a, 1 12b and 1 12c obtained from a central database 115 owned or con- 
trolled by the TTP 116. The central database 1 15 is populated with information obtained from authorized sources of 
such information during past processing. For each record the data provider wishes to supply to a data user 118. the 
data provider extracts the identifying fields for the record and inputs them into the depersonalizing process. The deper- 
sonalizing process assigns the random identifier by matching the information held by the data user with information pre- 
viously stored in the database provided by the Trusted Third Party. If no matching data is found in the respective 
database 1 15a. 1 15b and 1 15c, a unique and possibly random identifier is assigned and provided as output from the 
process. If a match with previously depersonalized data is encountered, the unique identifier assigned initially is pro- 
vided as output from the process. The data providers 1 12a. 1 12b and 1 12c sutjstitute the unique identifiers for the indi- 
vidual Identifiable attrit)utes in the record to create respective depersonalized records. The data suppliers then send the 
depersonalized records to the data user 1 18. 

[0049] In order to enable the linking of multiple sources of depersonalized data, each data provider 1 1 2a, 1 1 2b and 
1 12c supplies, to the TTP 1 16, a file containing the identifying data and the unique identifiers assigned by the data pro- 
vider's depersonalizing process 1 16a. 1 16b and 1 16c. The TTP correlates these files to identify matches among the 
identifying information records provided by the r^pective data providers and stores the unique identifiers, with indica- 
tions of any correlation, within the central database. When authorized by the data provider, the TTP may supply infor- 
mation to the data user showing the random identifiers from any of the data provider that relates to the same individual, 
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thus allowing the data user to create a linked depersonalized database 120. 
[0050] In some instances, a data provider 1 1 2a will not supply the identifying data to the TTP 11 6. In this instance, 
the TTP 116 will maintain a central database that is preiX)pulated with data from puWic sources, such as telephone 
directories, and will supply the matching algorithms to the data provider. The TTP 1 16 will receive only those files from 
a data supplier that have been previously matched with the TTP 1 16 database. It is apparent that correlation of data 
within certain groups of individuals who do not exist in the public databases, such as children, wa^ be excluded from 
the data user. However, the process fevors false negative correlation over false positive. 

[0051] A practitioner skilled in the art would recognize the many permutations of the t^sic concept of the present 
invention, tfiat is, the use of a triced third party with a data provider and a data user to depersonalize data as the data 
passes from provider to user. The embodiments described above are exemplary in nature, and do not constitute an 
exhaustive listing of the various ways this invention may be implemented. 

[0052] Rgure^ is a kslock diagram of an exemplary physical implementation of any of the information networks 
showp in Figures 1 through 6. The exemplary system is linked by a local area or wide area network 716 which may also 
be connected to a global information network, such as the Internet, by a direct comrrunications interface 718 and by 
removable media 722. The exemplary system shown in Figure 7 includes six processing systems, 710. 730, 740, 760, 
770 and 780. Each of these systems may include any of the oomnrunication interfaces shown for processing system 
710. Each of the systems 710, 730, 740, 760, 770 and 780 has an associated database 712. 732, 742. 762. 772 and 
782. The databases maintained by the data provider, data user and TTP may reside on any corrvnerdally availak)le host 
computer, as currently known in the art. 

[0053] The exerrplary processing system 71 0 includes a host computer 71 4 and a network interface 71 6 by which 
the host computer 714 may communicate with other data processing systems via a k)cal area network, a wide area net- 
work or a glok>al infonmation network. As shown In Figure 7, the host computer 714 communicates with the processing 
systems 740 and 730 via a local area network (LAN) 717. Computer 714 also uses the LAN 717 to communicate with 
a global information network server 750 and, through the server 750 and global information network 752, to remote 
users 760 and 780. In addition to the network interface, the host computer 714 of the data processing system 710 
Includes a communications interface 718. for example, a modem, through which the processing system 710 nrtay oom- 
muntoate with the remote user 770. The processing system 710 also includes an input/output (t/0) processor 720 which 
is coupled to a removat^le media device 722, for example a diskette drive, through which the host computer can com- 
municate with any other computer system that does not have a direct or indirect data communication path with the host 
computer 714. 

[0054] Each host computer may contain one or more processors (not shown), memory (not shown), input and out- 
put devices (not shown), and access to mass storage (not shown). Each processing system may be a single system or 
a network of computers, as currently krmvn in the art. The data providers. TTP and data users may exchange data over 
computer network such as LAN 71 7 or by physically transferring data on removable media 722 from location to location. 
The system may also be implemented across a global inforn^tion network such as the Internet. The host computer and 
the global information network may also communicate with a plurality of remote users. 

[0055] The term "database" may be broadly interpreted to mean any database using records and fieMs. or their 
equivalent The method is not limited by the high>level language used to code the data or the language used to code 
the programs which implement the required data processing. It is contemplated that the subject invention may be prac- 
tk;ed in computer software executed by the data provider(s) 1 12, trusted third party 116 and data user 118. This com- 
puter software may be implemerrted on a earner, such as a diskette. CD-ROM, DVD-ROM or radio frequency or audk) 
frequency cannier wave. 

[0056] Figures 8 and 9 are fbw-chart diagrams which illustrate exemplary emtxxiiments of the invention. Figure 8 
illustrates a process such as that shown in Figure 6 and Rgure 9 shows a process such as that shown in Figures 3. 4 
or 5. 

[0057] In Figure 8. at step 81 0, the TTP 116 provides the encoding process and encoding database to two retailers, 
retailer 1 12a and retailer 1 12b. The retailers implement the process and datat^ase within their company The datatsases 
1 1 5a and 1 1 5b provided by the TTP 1 16 in this exemplary emkxxliment of the invention are pre-populated with informa- 
tion supplied from the TTP central database 1 15. The information provided does not include any unique identifiers. 
At step 812, each of the retailers 1 12a and 1 12b extracts the individual demographic attributes and individual identifiers 
from each data record it wishes to sent to the data user 1 18. in this example, a marketing agency. For each record, the 
information is processed through TTP's supplied encoding process. The encoding process, at step 814 assigns a 
unique identifier to each record. Next, at step 814, the retailers 112a and 112b create the depersonalized data by 
replacing the individual demographic attributes and individual identifiers with the single unique identifier provided by the 
encoding process and send the depersonalized data to the marketing agency 118. 

[0058] Next, at step 818, the retailers 1 1 2a and 1 1 2b send, to the TTP 1 1 6. the unique identifiers assigned for each 
record where they encountered a match during the encoding process execution. The TTP 116. at step 820 stores the 
unique identifier assignment information provided by the retailers 1 12a and 1 12b in its central database 1 15. Also at 
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step 820. the TTP 116 sends the unique identifiers for the retailers 1 1 2a and 1 1 2b, which Wrfk to the same individual, as 
the correlating infomiation to the marketing agency 118. 

[0059] At step 822, the marketing agency links the data using the correlating information and performs its marketing 
study This study is performed without the ability to identify any individual person. As illustrated by the arrow from block 

5 822 to block 812. the process is iterative. Periodically, the TTP 1 16 sends updates to the encoding process and data- 
base to the retailers 112a and 112b. These updates result from updates / additions to the encoding process central 
database obtained by TTP 1 1 6. After processing these updates, the retailers 1 1 2a and 1 1 2b send back to the TTP 1 16 
all unique identifiers that were previously assigned by the retailers to the newly supplied information. 
[0060] It is noted that in this entediment of the invention, the retailers 1 12a and 1 12b never provided any identif i- 

10 able retail information. The retail data provided by the retailers to the marketing agency had no individual kJentifiable 
attributes. Thus, the marketing agency 1 1 8 never knew the identity of the actual individuals. Nonetheless, the marketing 
agency 1 1 8 was able to use the power of the retailer's information to enhance marketing study capability. 
[0061] In the exemplary embodiment of the invention shown in Rgure 9, a manufacturer 1 18 wishes to use the 
healthcare information of three local healthcare providers to identify the health habits of a specific disease state. Three 

15 data providers 112, Provider A. ProviderB and ProviderC have information which identifies the individual (for example: 
Member numt)er, social security number, name, etc.). The manufacturer 118, Provider A, ProviderB and ProviderC con- 
tractually authorize a Tmsted Third Party (TTP) 1 16 to encode the healthcare data using the healthcare data encoding 
process shown in Figure 9. 

[0062] At step 910 of this process. ProviderA, ProviderB and ProviderC each extracts the individual identifiable 
20 information from their internal databases 1 1 1 of healthcare records into a file 1 13. At step 912. ProviderA. ProvkierB 
and ProviderC send the files to TTP 116. 

[0063] At step 91 4, the TTP 1 1 6 identifies each individual using ifs matching process and assigns an Encoding Key 
to each record. At step 91 6, the TTP 1 1 6 sends the files with the corresponding Encoding Keys back to ProviderA. Pro- 
viderB and ProviderC. Next, at step 916, ProviderA. ProviderB and ProviderC replace the individual attributes for each 

25 record they wish to send to the manufacturer 1 18 with the encoding key received from the TTP 116. Also at step 91 8, 
ProviderA, ProviderB and ProviderC send the encoded healthcare information files to the manufacturer 118. At step 
920, the manufacturer receives the encoded healthcare information files and obtains the correlating data from the TTP 
116. Rnally. at step 922, the manufacturer 118 links the data from ProviderA. ProviderB and ProviderC and completes 
its study It is noted that this study is completed without the manufacturer being able to identify any person. 

30 [0064] While the inverrtion has been described in terms of a nuniber of exemplary emkxxiiments, it Is contemplated 
that it maybe practiced as described above with variations that are within the scope of the appended claims. 

Claims 

35 1 . A method of distritxjting data records, which include identifying information fields and other data f tekis, in an infor- 
mation network comprising a data provider, a data user and a trusted third party, wherein the kientifying information 
in each record kientif ies a person, saki method comprising the steps of: 

a) separating the identifying Information f ieUs from the other data f iekis for each data record to generate kten- 
40 tifying records; 

b) transfen-ing a copy of the kientifying records to the trusted third party: 

c) associating, by the trusted third party, each of the identifying records with a unique kJentifier. wherein a 
respectively different unique identifier is assigned to each person kientified by one or more off the identifytng 
records; 

45 d) transfening, by the trusted third party, the uruque kJentifiers to the data provkler; 

e) associating, by the data provider, the other data fields with the respective unk|ue kientifiers to form deper- 
sonalized data; and 

f) transferring, by each of the data provkiers. the depersonalized data to the data user. 

so 2. A method according to claim 1 wherein the step of associating the identifying records by the trusted third party 
includes the step of generating a random kientif ier that cannot be used to recover any of the kientifying information 
fields as the unique identifier. 

3. A method of distributing data records, which include identifying information fields and other data f iekls. in an infor- 
55 mation network conrprising a plurality of data provkiers, a data user and a trusted third party, wherein tine identifying 
information in each data record identifies a person, saki method comprising the steps of: 

a) separating, by each of the data provkiers, tiie kientifying information f iekis from the other data f iekls for each 
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data record to generate identifying records: 

b) transferring, by each of the data providers, a copy of the identifying records to the trusted third party; 

c) associating, by the trusted third party, each of the identifying records, with a unique identifier, wherein a 
respectively different unique identifier is assigned to each individual person identified by one or more of the 

5 identifying records; 

d) transferring, by the trusted third party, the unique identifiers to the respective data providers from which the 
identifying records used to generate the unique identifiers were received; 

e) associating, by each of the data providers, the other data fields with the respective unique identifiers to form 
depersonalized data; and 

10 f) transferring, by each of the data providers, the depersonalized data to the data user. 

4. A method acQprding to any one of claims 1 to 3 wherein the step of associating, by the trusted third party, each of 
Xt^e identifying records, with a unique identifier, includes the step of generating a random identifier that cannot be 
used to recover any of the identifying information fields as the unique identifier, wherein when the identifying infor- 

75 mation fields provided by more than one of the plurality of data providers corresponds to one person, respectively 
different unique identifiers are generated for each of the more than one information providers. 

5. A method according to any one of claims 1 to 4 wherein the step of associating, by the trusted third party each of 
the identifying records, with a unique identifier further includes the steps of: 

20 

a) recording, by the trusted third party, a correlation of each person for whom multiple unique identifiers are 
assigned to form correlating Information; and 

b) transferring, by the trusted third party, the conrelating information to the data user. 

25 6. A method according to claim 5 wherein the step of transferring, by the trusted third party, the conrelating information 
to the data user, includes the steps of 

a) receiving, from the data user, a request for correlating information for specific ones of the plurality of data 
providers; and 

30 b) transferring the correlating information for only the specific ones of the plurality of data providers. 

7. A method of distributing a plurality of data records, which include identifying information fields and other data fields, 
in an information network comprising a plurality of data providers, a data user and a trusted third party, wherein the 
identifying information in each data record identifies a person, said method comprising the steps of: 

35 

a) generating, by each of the data providers, a plurality of first unique identifiers from the identifying information 
fields of the plurality of data records; 

b) transferring, by each of the data providers, a copy of the Identifying Information fields from each of the plu- 
rality data records and a respective copy of each of the plurality of unique Identifiers, as a respective plurality 

40 of identifying records, to the trusted third party; 

c) transferring, by each of the data providers, a copy of the other data fields from each of the plurality data 
records and a respective copy of each of the plurality of first unique identifiers, as a respective plurality of data 
records, to the data user; 

d) associating, by the trusted third party, each of tiie identifying records, with a second unique identifier. 
45 wherein a respectively different second unique identifier is assigned to each individual person identified by one 

or more of the Identifying records; 

e) transfen-ing. by the trusted third party, tiie first unique identifiers and the second unique identifiers to the data 
user; and 

f) associating, by the data user, the other data records provided by the data provider with tiie unique identifiers 
so provided by the trusted third party. 

8. A metfiod of processing and distributing a plurality of data records, wherein each of the plurality of data records 
contains information used to identify a person, by a trusted third party, said metiiod comprising the steps of: 

55 a) receiving, from a plurality of data providers, a copy of tiie plurality of identifying records; 

b) associating each of the identifying records, with a unique identifier, wherein a respectively differerrt unique ' 
identifier is assigned to each individual person identified by one or more of the identifying records; 

c) matching records associated witii a particular person among tiie identifying records provided by tiie plurality 
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of data providers, to generate the second unique identifier which is the same for all identifying records provided 
by the plurality of data providers; and 

d) transfenring the unique identifiers to the respective data providers from which the identifying records used to 
generate the unique identifiers were received. 

9. A carrier containing a set of instructions for causing a general purpose computer networl^ comprising a data pro- 
vider, a data user and a trusted third party, said network accessing a plurality of data records which include identi- 
fying information fields and other data fields, wherein the identifying information in each record identifies a person, 
to perform the following steps: 

a) separating the identifying information fields from the other data fields for each data record to generate iden- 
tifyingrecords; 

^ b) transfenring a copy of the identifying records to the trusted third party; 

c) associating, by the trusted third party, each of the identifying records with a unique identifier, wherein a 
respectively different unique identifier is assigned to each person identified by one or more of the identifying 
records; 

d) transferring, by the trusted third party, the unique identifiers to the data provider; 

e) associating, by the data provider, the other data fields with the respective unique identifiers to form deper- 
sonalized data; and 

f) transf^ring, by each of the data providers, the depersonalized data to the data user. 

10. A carrier according to daim 9 wherein the step of associating the identifying records by the trusted third part 
includes the step of generating a random identifier that cannot be used to recover any of the identifying information 
fields as the unique identifier. 

11. A carrier containing a set of instructions for causing a network of general purpose computers comprising a plurality 
of data providers, a data user and a trusted third party, said network accessing a plurality of data records which 
include identifying infbnnation and other fields, wherein the identifying information in each data record identifies a 
person, to perform the following steps: 

a) separating, by each of the data providers, the identifying information fields from the other data fields for each 
data record to generate identifying records; 

b) transfening, by each of the data providers, a copy of the identifying records to the trusted third party; 

c) associating, by the trusted third party, each of the Identifying records, with a unique identifier, wherein a 
respectively different unique Identifier is assigned to each individual person identified by one or more of the 
identifying records; 

d) transfening, by the trusted third party, the unique identifiers to the respective data providers from which the 
identifying records used to generate the unique identifiers were received; 

e) associating, by each of the data providers, the other data fields with the respective unique identifiers to form 
depersonalized data; and 

f) transferring, by each of the data providers, the depersonalized data to the data user. 

12. A carrier according to daim 1 1 wherein the step of assodating. by the trusted third party, each of the identifying 
records, with a unique identifier, includes the step of generating a random identifier that cannot be used to recover 
any of the identifying information fields as the unique identifier, wherein when the identifying information fields pro- 
vided by more than one of the plurality of data providers con-esponds to one person, respectively different unique 
identifiers are generated for each of the more than one information providers. 

13. A carrier containing a set of instructions for causing a network of general purpose computers, said network com- 
prising a plurality of data providers, a data user and a trusted third party, said network accessing a plurality of data 
records which indude identifying information f ields^and other data fields, wherein the identifying information in each 
data record identifies a person, to perform a method comprising the steps of: 

a) generating, by each of the data providers, a plurality of first unique identifiers from the Identifying information 
fields of the plurality of data records; 

b) transferring, by each of the data providers, a copy of the identifying information fields from each of the plu- 
rality data records and a respedive copy of each of the plurality of unique identifiers, as a respective plurality 
of identifying records, to the trusted third party; 
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c) transferring, by each of the data providers, a copy of the other data fields from each of the plurality data 
records and a respective copy of each of the plurality of first unique identifiers, as a respective plurality of data 
records, to the data user; 

d) associating, by the trusted third party, each of the identifying records, with a second unique identifier. 
5 wherein a respectively different second unique identifier is assigned to each individual person identified by one 

or more of the identifying records; 

e) transferring, by the trusted third party, the first unique identifiers and the second unique identifiers to the data 
user; and 

f) associating, by the data user, the other data records provided by the data provider with the unique identifiers 
10 provided by the trusted third party. 

14. The carrier of-claim 13 further comprising instructions to perform the steps of matching records associated with a 
particular person among the identifying records provided by the plurality of data providers, to generate the second 
unique identifier which is the same for all identifying records provided by the plurality of data providers, wherein the 

IS matching is performed by the trusted third party 

15. A carrier containing a set of instructions for causing a general purpose computer accessing a plurality of data 
records, wherein each of the plurality of data records contains information used to identify a person, by a trusted 
tfurd party, to perform the steps of: 

20 

a) receiving a plurality of identifying records from a first data provider; 

b) associating each of the plurality of identifying records with a unique identifier, wherein a respectively different 
unique identifier is assigned to each person identified by one or more of the plurality of identifying records; and 

c) transferring the unique identifiers to the data provider. 

2S 

1 6. A carrier according to claim 1 5 wherein the step of associating the identifying records includes the step of generat- 
ing a random Identifier that cannot k>e used to recover any of a plurality of identifying Information fields as the unique 
identifier. 

30 17. A ccuTier containing a set of instruction for causing a general purpose computer accessing a plurality of data 
records wherein each of the plurality of data records contains information used to identify a person by a trusted third 
party, to perform the steps of: 

a) receiving, from a plurality of data providers, a copy of the plurality of identifying records; 
35 b) associating each of the identifying records, with a unique identifier, wherein a respectively different unique 

identifier is assigned to each Individual person Identified by one or more of the identifying records; 

c) matching records associated with a particular person among the identifying records provided by the plurality 

of data providers, to generate the second unique identifier which Is the same for all identifying records provided 

by the plurality of data providers; and 
40 d) transferring tiie unique identifiers to the respective data providers from which the identifying records used to 

generate the unique identifiers were received. 

18. A carrier according to claim 17 wherein tiie step of associating, by the trusts third party, each of the Identifying 
records, with a unique identifier. Includes the step of generating a random identifier that cannot be used to recover 
45 any of tiie identifying information fields as the unique identifier, wherein when the identifying information fields pro- 
vided by more than one of tiie plurality of data providers corresponds to one person, respectively different unique 
identifiers are generated for each of tiie more than one Information providers. 
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□ IMAGE CUT OFF AT TOP, BOTTOM OR SffiES 



□ BLURRED OR ILLEGIBLE TEXT OR DRAWING 

□ SKEWED/SLANTED IMAGES 

□ COLOR OR BLACK AND WHITE PHOTOGRAPHS 

□ GRAY SCALE DOCUMENTS 

□ LINES OR MARKS ON ORIGINAL DOCUMENT 

□ REFERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY 

□ OTHER: 

IMAGES ARE BEST AVAILABLE COPY. 
As rescanning these documents will not correct the image 
problems checked, please do not report these problems to 
the IFW Image Problem Mailbox. 



BEST AVAILABLE IMAGES 




FADED TEXT OR DRAWING 



